Here’s an example of how to timely detect
and disclose a breach transparently.

Halloween Security Breach
By
Sean Blanchfield

PageFair security breach has been
resolved – here is what you need to know.

Update 1 – 21:30 GMT, November 1, 2015

Core Facts

If you are a publisher using our free
analytics service, you have good reason to be very angry and
disappointed with us right now. For
83 minutes last night, the PageFair analytics service was
compromised by hackers, who succeeded in getting malicious javascript
to execute on websites via our service, which prompted some visitors
to these websites to download an executable file. I am very sorry
that this occurred and would like to assure you that it is no longer
happening.

The attack was sophisticated and
specifically targeted against PageFair, but it is unacceptable that
the hackers could gain access to any of our systems. We identified
the breach immediately, but it still took over 80 minutes to fully
shut it down. During this time, visitors to websites owned by the
publishers who have placed their trust in us were targeted by these
hackers.

The damage was mitigated by our standard
security practices, but the attackers still gained access. I want to
take some time here to describe exactly what happened, how it may
have affected some of your visitors, and what we are doing to prevent
this from ever happening again.

In the past week, many pensioners have
told the Daily Mail how they have fallen victim to conmen pretending
to be from TalkTalk. They often claim to be offering compensation
for the data breach before asking for victims’ bank account
details.

Last night a senior cyber-crime officer
warned: ‘The fraudsters look for victims in their 60s, 70s, 80s and
90s. Some of the conmen have call centre training which means they
sound genuine when they call up pretending to be from a telecoms
company.

If you know someone who might be at risk, do give
them a heads up about this. It’s not uncommon to see criminals use
stolen data to try to phish for more, but it’s worth a reminder.

(Related) Could this be the result of the
TalkTalk breach? Customers using the same password on both systems?
Would customers be on both at the same time? Perhaps they quit
TalkTalk and opened accounts on Vodafone?

Criminals used customer
details gained from "an unknown source" to try
to access accounts between Wednesday and Thursday, the company said.

The telecommunications giant said 1,827 customers
had their accounts accessed, with criminals potentially gaining their
names and some bank details.

But it
insisted its systems had not been breached.

… Vodafone said its security protocols had
been "fundamentally effective", but the criminals had
potentially gained customers' names, their mobile phone numbers, bank
sort codes and the last four digits of their bank account numbers.

… The BBC's technology correspondent Rory
Cellan-Jones said the email
addresses and passwords criminals used to try to access Vodafone
accounts appeared to have been bought on the dark web. [This
makes it look like there was a breach. Bob]

Maybe it's me, but I don't see much of a change
here. Perhaps an increase in resources devoted to cybersecurity as
new technologies are adopted, but the boards I worked with always
seemed to understand the risks of IT.

Deloitte:
“Among the most complex and rapidly evolving issues companies must
contend with is cybersecurity. With the advent of mobile technology,
cloud computing, and social media, reports on major breaches of
proprietary information and damage to organisational IT
infrastructure have also become increasingly common, thus
transforming the IT risk landscape at a rapid pace. International
media reports on high-profile retail breaches and the major discovery
of the Heartbleed security vulnerability posing an extensive systemic
challenge to the secure storage and transmission of information via
the Internet have shone a spotlight on cybersecurity issues.
Consequently, this has kept
cybersecurity a high priority [Not
a new or increased priority Bob]
on the agenda of boards and audit committees…”

Imagine a burglar stalking his victims
and taking pictures of their cars in parking lots, knowing their
whereabouts and then breaking into their homes.

Eden Prairie police say that’s exactly
what 45-year-old David William Pollard was doing, but they didn’t
know how until he was arrested leaving a Minnetonka home on April 14.

[…]

Inside Pollard’s car that night, police
found a slew of stolen property. In addition, police say they
uncovered how Pollard was able to find his victims – through a
subscription-based online account that allowed him to look up
individuals by their license plate numbers.

5 EYEWITNESS NEWS created an account on the
website in question and searched a co-worker's license plate number.
The results included his date of birth, name, address, make and model
of car and even his vehicle’s identification number.

… DPS claims it took action against the bulk
data purchaser who was re-selling this information to the website in
question in 2006. It claims the purchaser’s access was terminated.
But our investigation revealed the license plate data on that
website was updated as recently as Dec. 31, 2011. Our employee whose
license plate number was checked purchased the vehicle in 2009, three
years after DPS claims it terminated the particular purchaser’s
access to bulk data purchases.

… The Department of Public Safety stopped
selling this personal information in bulk on Jan. 1. But unless
you’ve moved or purchased a new car, your information is still out
there for anyone to find.

Removing hoods is probably good. Unless of
course, they point to the wrong people. Or someone starts targeting
them with 'sticks and stones.' Will they recognize that someone is
on an “enemies list” rather than a membership list?

So far, there have been three pastes, all linked
from @YourAnonNews’ Twitter account. The first paste contains two
email addresses associated and 10 phone numbers without names or
additional details. The second paste contains an 800- phone number,
10 phone numbers without names, and another email address. The third
paste contains more phone numbers and 21 email addresses, the
majority of which are on .ru domains.

Note that not all the phone numbers are registered
to individuals, but one of the numbers DataBreaches.net checked using
reverse phone lookup was reported to be associated with the KKK by
someone on 800Notes.com who reported getting a call from the number
which he described as KKK
– “threatening.”

Some of the information in the pastes does not
appear to be new, as at least one number checked by DataBreaches.net
had been leaked before following Ferguson with the individual’s
full name, address, credit card details, etc.

Note: In a fourth paste that actually preceded the
three noted above, “Amped Attacks” (@sgtbilko420 on Twitter)
released the names of nine politicians – four U.S. Senators and
five mayors – whose email addresses showed up in KKK databases he
claims to have hacked. Amped Attacks does not provide their email or
postal addresses, or phone numbers, and the basis for him declaring
them part of KKK or a supporter of them is that he can seemingly come
up with no reason for their email to be in a KKK database unless
they’re a member or a supporter.

In addition to the paste, Amped Attacks has also
taken down some KKK sites, with evidence provided in his
tweet stream. In one tweet, he declared that he is not part of
Anonymous but respects #OpKKK.

I expected much more from South Korea but then
these decisions are made by politicians not techies.

The report authors found that children's personal
details were not stored securely and that the parental filters
applied were easy to disable.

"Smart Sheriff is the kind of babysitter that
leaves the doors unlocked and throws a party where everyone is
invited," said independent researcher Colin Anderson, who worked
on the report, at the time.

Snapchat
reassures users that photo messages are still totally private

Photo-messaging app Snapchat has reassured users
that their photos will not be stored on its servers after changes to
its privacy policy caused widespread confusion.

The Venice, California-based company published
a blog post on Sunday clarifying changes that were made to its
Privacy Policy and Terms and Services last week. Photos shared
through Snapchat disappear after the recipient has viewed them, but
users have been fretting that the updates allowed Snapchat to store
photos and share them with advertisers.

Photo messages "are automatically deleted
from our servers once we detect that they have been viewed or have
expired", just as they were before, Snapchat said. It does not
stockpile pictures, and never has.

I'm not sure this is how I would teach lawyers to
code, but I'll pass it along anyway.

V. David Zvenyach – “What?
Lawyers and Coding? It’s true. Lawyers can code. In
fact, if you’re a lawyer, the truth is that it’s easier than you
think. I am a lawyer, and a coder.
In the course of two years, I have gone from knowing essentially
nothing to being a decent coder in several languages. This
book is intended to drastically shorten that time for others who,
like me, decide that they want to learn to code. Why this book? One
thing that I discovered, when learning to code, is that there are
surprisingly few freely available books on the basics of
coding, books that assume you know nothing about coding,
books that assume you went to law school because you didn’t like
numbers. And, we need more lawyers who code…”

Not being one for “binge TV watching” I could
see myself doing some serious binge reading. Especially as books
become as cheap as I am. This points you to an interesting article.

New York Times – A
Penny for Your Books By Dan Nosowitz, October 26, 2015: “…in
recent years, my bookshelves have swelled. Old John le Carré and
Donald E. Westlake and Lawrence Block titles are easier than ever to
find online, along with pretty much every other book published in the
last century. They’re all on Amazon, priced incredibly low, and
sold by third-party booksellers nobody has ever heard of… In 2014,
publishers sold just over 2.7 billion books domestically, for a total
net revenue of just under $28 billion, a larger profit than in the
preceding two years, according to the Association
of American Publishers. There were just over 300,000 new titles
(including re-releases) published in the United States in 2013. The
book industry may not be as strong as it once was, but it’s still
enormous, and generates a considerable amount of surplus product each
year.”

[From the article:

Enter the penny booksellers. There are dozens of
sellers — Silver Arch Books, Owls Books, Yellow Hammer Books and
Sierra Nevada Books — offering scores of relatively sought-after
books in varying conditions for a cent. Even including the standard
$3.99 shipping, the total sum comes out to several dollars cheaper
than what you’d pay at most brick-and-mortar used-book stores.]


About Me

I live in Centennial, Colorado. (I'm not actually 100 years old, but I hope to be some day.) I'm an independent computer consultant, specializing in solving problems that traditional IT personnel tend to have difficulty with... That includes everything from inventorying hardware & software, to converting systems & data, to training end-users. I particularly enjoy taking on projects that IT has attempted several times before with no success. I also teach at two local universities: everything from Introduction to Microcomputers through Business Continuity and Security Management. My background includes IT Audit, Computer Security, and a variety of unique IT projects.